So this is a question I got asked lately: which SSL certificate should I use for my API? You might have read my previous post, which explains in detail which SSL certificate is suited for which purpose, but it focuses mainly on functionality for browsers.

Take Public Key Pinning (HPKP) for example: the added value of this feature depends heavily on the browser the website is visited with. If the browser does not check whether the pin matches the certificate, the feature adds no value at all.

So why does this matter? Most people have the most recent browser version, right? Well, first of all, that's not true. You'd be amazed by the number of people who still use Internet Explorer. But think about someone accessing an API: they will most likely do this programmatically, and they will most likely not implement HPKP checking either.

To get back to the question of which SSL certificate to use for your API: don't use EV. Recently I came across an API using EV; this is just wasting money. I don't think there is any API client or wrapper that checks whether the API it talks to uses an EV certificate.

As I discussed earlier in my post about SSL, the only added value of an EV certificate is the visual cue to the website's user that the website is owned by a legitimate company.

An API is not meant to provide visual cues to its users.

So, which SSL certificate should you use for your API? Anything will do. Just make sure you've taken the appropriate measures to secure your private key and server configuration.

It is important to inform your API users when you are about to switch to a different certificate. Programmers might not implement HPKP checking in their code; they might simply verify that the certificate is the one they expect. If you change it without notice, you might break someone's code. Twilio, for example, changed its API certificate recently and gave advance notice that this was going to happen (also because they were switching to a 2048-bit certificate).
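As an added example (not code from the original post, Twilio, or any particular API client), here is what HPKP-style public key pinning looks like on the client side in Python, together with the pin set handling that lets a published rotation like the one described above go through without breaking the client. It uses only the standard library: the pin is the base64 SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo, exactly the value carried in a `pin-sha256` directive, and the client accepts the server key if it matches any pin in the set it was given (current key plus announced backup). The `build_sample_cert` and `SAMPLE_SPKI_*` values are constructed stand-ins with the right DER field order, not real certificates; `fetch_leaf_cert` is the only part that touches the network and is not exercised by the sample.

```python
import base64
import hashlib
import socket
import ssl


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, start, _ = _read_tlv(cert_der, 0)           # outer Certificate SEQUENCE
    _, pos, _ = _read_tlv(cert_der, start)         # tbsCertificate SEQUENCE
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                # explicit [0] version is present
        pos = end
    for _ in range(5):                             # serial, sig alg, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[pos:end]


def spki_pin(spki_der):
    """HPKP pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pin_header(value):
    """Parse a Public-Key-Pins header value into (set of pin-sha256 values, max-age)."""
    pins, max_age = set(), None
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            pins.add(arg)
        elif name == "max-age":
            max_age = int(arg)
    return pins, max_age


def verify_pinned(cert_der, pinned):
    """Client-side check: the server's public key must match one of the trusted pins.
    Accepting any pin in the set, not only the current key, is what lets a server
    rotate to a pre-announced backup key without breaking pinning clients."""
    return spki_pin(extract_spki(cert_der)) in pinned


def fetch_leaf_cert(host, port=443):
    """Connect with normal chain validation and return the leaf certificate in DER form
    (pinning is a check on top of, not instead of, regular certificate validation)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# ---- constructed sample data (not real certificates) -------------------------

def der(tag, body):
    """Minimal DER TLV encoder, enough to build the constructed sample below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    if len(body) < 0x100:
        return bytes([tag, 0x81, len(body)]) + body
    return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body


def _fake_spki(key_bytes):
    # SubjectPublicKeyInfo { algorithm { rsaEncryption OID, NULL }, subjectPublicKey BIT STRING }
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + key_bytes))


SAMPLE_SPKI_CURRENT = _fake_spki(b"\x01" * 20)   # constructed: the key in use today
SAMPLE_SPKI_BACKUP = _fake_spki(b"\x02" * 20)    # constructed: the announced next key


def build_sample_cert(spki_der):
    """Unsigned stand-in with a certificate's field order; only the layout matters here."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, b"") + der(0x30, b"") + der(0x30, b"") + der(0x30, b"") + spki_der)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))


if __name__ == "__main__":
    header = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000' % (
        spki_pin(SAMPLE_SPKI_CURRENT), spki_pin(SAMPLE_SPKI_BACKUP))
    pins, _ = parse_pin_header(header)
    print("current key accepted:", verify_pinned(build_sample_cert(SAMPLE_SPKI_CURRENT), pins))
    print("rotated key accepted:", verify_pinned(build_sample_cert(SAMPLE_SPKI_BACKUP), pins))
```

The rotation case is the one to notice: a client that pins only the single certificate it saw on day one fails the moment the server switches keys, while a client that was handed the current and backup pins (and a server that announced the backup before switching) keeps working. The check here runs on the leaf certificate; the same `spki_pin` can be applied to an intermediate if that is the key being pinned.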

